DIFC Data Protection Notifications

DIFC data protection law requires businesses to take action before October deadline

Under the DIFC Data Protection Law, which came into effect on July 1, businesses in the DIFC have three months to update their policies, processes and contracts to reflect a wide-ranging new set of requirements, which include expanded rules on the processing of personal data, new rights for data subjects, and notification of data breaches.

DIFC Data Protection Notifications

Notifications are a statutory requirement under the Data Protection Law, DIFC Law No. 5 of 2020 (the “DP Law”) and
process details are set out in the Data Protection Regulations 2020 (the “Regulations”). Every DIFC registered entity that
processes Personal Data or Special Category Data must notify the Commissioner of Data Protection (“Commissioner”)
about such processing. Personal Data is defined in the DIFC DP Law as, “Any Data referring to an Identifiable Natural Person” and
Special Category Data is defined as, “Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin,
communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union
membership and health or sex life and including genetic data and biometric data where it is used for the purpose of
uniquely identifying a natural person.” Such data includes but is not limited to name, address, business or personal email
address, business or personal phone numbers, geolocations, job title or other employee data, health and biometric data,
religious affiliations or criminal history.

How do I notify?

  • The notification is available on the Client Portal (log in to https://portal.difc.ae/signin, using the assigned portal username and password).
  • DIFC entities can submit a notification through the DIFC Client Portal. Process:
  • Log in to https://portal.difc.ae/signin, using the assigned portal username and password given by the Registry Services.
  • Navigate to ‘Company Services’, look for “Notification of Personal Data operations”, and click on this service.
  • Complete the service request and submit it.
  • If the notification satisfies the Commissioner’s requirements, the portal user will receive an email notification that the request has been approved. The notification is valid for twelve (12) months and must be renewed if personal data continues to be processed.
  • DIFC entities must notify the Commissioner as soon as possible and in any event within 14 days of any Personal Data Processing.

What businesses need to do

Firstly, businesses will need to conduct a thorough review of their current and future planned processing activities to identify what personal data is being collected and ensure that any data being collected is relevant, accurate and being processed for the specific purpose for which it was collected. This includes ensuring they have a lawful basis to process such data.

Businesses should also look at populating registers of processing activities that record personal data use and start raising internal awareness of the new requirements. They should look to update privacy notices and customer-facing terms and conditions to address the changes in the DP Law – this will include alerting customers to their new data subject rights – and review and remediate existing controller/processor contractual arrangements and put contracts into place with processors that contain the mandatory provisions as required by the DP Law.

In addition, businesses registered in DIFC should start implementing new data breach procedures to ensure that notifications are made to the Commissioner and data subject, as required, in a timely manner.
